
How Devolutions helps organizations meet key IAM controls in ISO/IEC 27001:2022

An overview of how Devolutions products help organizations meet critical Identity and Access Management requirements of ISO/IEC 27001 through centralized, auditable, and policy-driven controls.

Vincent Lambert

As a security framework, ISO/IEC 27001:2022 covers a wide range of organizational, physical, and technical controls. Among these, Identity and Access Management (IAM) stands out, because many Annex A controls depend on how identities are managed and on how access to systems is granted, monitored, and restricted.

To help customers navigate this complexity, Devolutions provides a Compliance page that maps its products to the controls addressed across major security frameworks, including ISO/IEC 27001. This page gives organizations clear visibility into which controls are supported by Devolutions’ solutions today, how they can be leveraged as part of a broader compliance strategy, and how existing product capabilities can help build a solid business case for ISO/IEC 27001 certification efforts.

This is where Devolutions Server (DVLS), Devolutions Hub, Devolutions Remote Desktop Manager (RDM), Devolutions Gateway, Devolutions Workspace, and Devolutions PAM provide real, practical support.

Below are some of the most critical IAM-related controls and how Devolutions helps organizations comply with them.

1) 5.16 – Identity management

“The full life cycle of identities shall be managed.”

Why it matters: ISO/IEC 27001 expects every identity to be managed over its whole lifecycle, from onboarding through role changes to offboarding, so that no account outlives the person or system it was created for.

How Devolutions helps:

  • Integrations with AD, Azure AD (now Microsoft Entra ID), SCIM, and SSO ensure identities follow your existing directory lifecycle, so an account disabled in the directory loses access to vaults and connections as well.
  • Role-Based Access Control (RBAC) keeps vault and credential access aligned with user roles rather than with individual, hand-assigned permissions.
  • Just-in-time privileged access via Devolutions PAM avoids standing elevated rights: privileges are granted for a bounded window and then withdrawn.

Result: Identity lifecycle becomes operational, automated, and auditable.

2) 5.17 – Authentication information

“Allocation and management of authentication information shall be controlled.”

Why it matters: ISO/IEC 27001 focuses heavily on how passwords, keys, tokens, and other secrets are issued, stored, rotated, and revoked, and on who is able to see them along the way.

How Devolutions helps:

  • Encrypted vaults in DVLS and Hub centralize secrets, replacing spreadsheets, scripts, and local password stores as the place where authentication information lives.
  • Password and key rotation through PAM limits the useful lifetime of any credential that is leaked or left behind.
  • Credential injection (RDM, Workspace) lets users open sessions without the cleartext password being displayed to them, so the secret does not end up in notes, clipboards, or screenshots.
  • MFA across the product suite strengthens authentication to the vault itself, which is the single point that protects everything stored in it.

Result: Strong, centralized, policy-driven management of all authentication information.

3) 5.18 – Access rights

“Access rights shall be provisioned, reviewed, modified and removed according to policy.”

Why it matters: The standard expects organizations to define their own access control policies and ensure that identity and access management follows those rules consistently.

How Devolutions helps:

  • DVLS and Hub provide centralized access lifecycle management: rights are granted, changed, and revoked in one place instead of on each target system.
  • Access reviews are simplified with clear visibility into vault permissions, privileged accounts, and user roles, which is the evidence an auditor asks for when checking that reviews actually happen.
  • Devolutions Gateway brokers connections to internal hosts, so holding a valid credential is not by itself enough to reach a target; the session must also be authorized through the Gateway.

Result: Access rights remain aligned with policy throughout their entire lifecycle.

4) 8.2 – Privileged access rights

“The use of privileged access shall be restricted and managed.”

Why it matters: Privileged accounts are a primary target for attackers and the usual path from a single compromised host to the whole environment, so their management and monitoring are closely examined during ISO/IEC 27001 audits.

How Devolutions helps:

  • Full PAM capabilities: password vaulting, session recording, approval workflows, and just-in-time access.
  • Secure session brokering via Devolutions Gateway, so target hosts do not need RDP or SSH ports exposed to the client network.
  • Detailed session and audit logs provide evidence for auditors and support incident investigations, including who used which privileged account, when, and against which host.

Result: Privileged access becomes controlled, monitored, and transparent.

5) 8.3 – Information access restriction

“Access shall be restricted according to approved policies.”

Why it matters: ISO/IEC 27001 expects access control policies to be supported by practical, technical enforcement, not just documented rules.

How Devolutions helps:

  • RBAC, folder permissions, and segmented vaults enforce strict information boundaries, so a user sees only the entries their role requires.
  • Credential injection prevents users from viewing sensitive secrets, which limits what an insider, or a phishing page the user is tricked into, can capture.
  • Gateway adds network-level segmentation, reinforcing the logical access controls with a chokepoint that every brokered session has to pass through.

Result: A practical, enforceable least-privilege model across identities, connections, and secrets.

Want to go further?

Over the coming months, additional security frameworks will be added to the Devolutions Compliance Page, further detailing which controls are addressed by Devolutions product features. This gives customers ongoing visibility into how Devolutions continues to support evolving compliance and security requirements.
